      1 #!/bin/sh
      2 
      3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      6 
      7 # This script generates two chains of test certificates:
      8 #
      9 #     1. A (end-entity) -> B -> C -> D (self-signed root)
     10 #     2. A (end-entity) -> B -> C2 (self-signed root)
     11 #
     12 # in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
     13 # certificate that uses the same keypair as C.
     14 #
     15 # We use these cert chains in
     16 # SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
     17 # SSLInfo objects see the certificate chain as validated rather than as
     18 # served by the server. The server serves chain 1. The client has C2, NOT D,
     19 # installed as a trusted root. Therefore, the chain will validate as chain
     20 # 2, even though the server served chain 1.
     21 
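#######################################
# Echo a command line, then run it; abort the whole script if it fails.
# Every generation step below goes through this so a failure anywhere stops
# the run instead of producing a partial or inconsistent set of fixtures.
# Arguments: the command and its arguments, passed through unchanged.
# Outputs:   the command line on stdout (a trace of what was run); a short
#            "failed: ..." diagnostic on stderr when the command fails.
# Returns:   0 if the command succeeded; otherwise exits the script with 1.
#######################################
try () {
  # printf instead of echo: several /bin/sh echo implementations interpret
  # backslashes or a leading -n/-e, which would mangle the trace line.
  printf '%s\n' "$*"
  if ! "$@"; then
    printf 'failed: %s\n' "$*" >&2
    exit 1
  fi
}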
     26 
     27 try rm -rf out
     28 try mkdir out
     29 
     30 echo Create the serial number files.
     31 serial=1000
     32 for i in B C C2 D
     33 do
     34   try /bin/sh -c "echo $serial > out/$i-serial"
     35   serial=$(expr $serial + 1)
     36 done
     37 
     38 echo Generate the keys.
     39 try openssl genrsa -out out/A.key 2048
     40 try openssl genrsa -out out/B.key 2048
     41 try openssl genrsa -out out/C.key 2048
     42 try openssl genrsa -out out/D.key 2048
     43 
     44 echo Generate the D CSR.
     45 CA_COMMON_NAME="D Root CA" \
     46   CERTIFICATE=D \
     47   try openssl req \
     48     -new \
     49     -key out/D.key \
     50     -out out/D.csr \
     51     -config redundant-ca.cnf
     52 
     53 echo D signs itself.
     54 CA_COMMON_NAME="D Root CA" \
     55   try openssl x509 \
     56     -req -days 3650 \
     57     -in out/D.csr \
     58     -extensions ca_cert \
     59     -extfile redundant-ca.cnf \
     60     -signkey out/D.key \
     61     -out out/D.pem \
     62     -text
     63 
     64 echo Generate the C2 root CSR.
     65 CA_COMMON_NAME="C CA" \
     66   CERTIFICATE=C2 \
     67   try openssl req \
     68     -new \
     69     -key out/C.key \
     70     -out out/C2.csr \
     71     -config redundant-ca.cnf
     72 
     73 echo C2 signs itself.
     74 CA_COMMON_NAME="C CA" \
     75   try openssl x509 \
     76     -req -days 3650 \
     77     -in out/C2.csr \
     78     -extensions ca_cert \
     79     -extfile redundant-ca.cnf \
     80     -signkey out/C.key \
     81     -out out/C2.pem \
     82     -text
     83 
     84 echo Generate the B and C intermediaries\' CSRs.
     85 for i in B C
     86 do
     87   name="$i Intermediate CA"
     88   CA_COMMON_NAME="$i CA" \
     89     CERTIFICATE=$i \
     90     try openssl req \
     91       -new \
     92       -key out/$i.key \
     93       -out out/$i.csr \
     94       -config redundant-ca.cnf
     95 done
     96 
     97 echo D signs the C intermediate.
     98 # Make sure the signer's DB file exists.
     99 touch out/D-index.txt
    100 CA_COMMON_NAME="D Root CA" \
    101   CERTIFICATE=D \
    102   try openssl ca \
    103     -batch \
    104     -extensions ca_cert \
    105     -in out/C.csr \
    106     -out out/C.pem \
    107     -config redundant-ca.cnf
    108 
    109 echo C signs the B intermediate.
    110 touch out/C-index.txt
    111 CA_COMMON_NAME="C CA" \
    112   CERTIFICATE=C \
    113   try openssl ca \
    114     -batch \
    115     -extensions ca_cert \
    116     -in out/B.csr \
    117     -out out/B.pem \
    118     -config redundant-ca.cnf
    119 
    120 echo Generate the A end-entity CSR.
    121 try openssl req \
    122   -new \
    123   -key out/A.key \
    124   -out out/A.csr \
    125   -config ee.cnf
    126 
    127 echo B signs A.
    128 touch out/B-index.txt
    129 CA_COMMON_NAME="B CA" \
    130   CERTIFICATE=B \
    131   try openssl ca \
    132     -batch \
    133     -extensions user_cert \
    134     -in out/A.csr \
    135     -out out/A.pem \
    136     -config redundant-ca.cnf
    137 
    138 echo Create redundant-server-chain.pem
    139 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
    140     > ../certificates/redundant-server-chain.pem"
    141 
    142 echo Create redundant-validated-chain.pem
    143 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem \
    144   > ../certificates/redundant-validated-chain.pem"
    145 
    146 echo Create redundant-validated-chain-root.pem
    147 try cp out/C2.pem ../certificates/redundant-validated-chain-root.pem
    148 